Appendix L: Events to Monitor


The following table lists events that you should monitor in your environment, according to the recommendations provided in Monitoring Active Directory for Signs of Compromise. In the following table, the "Current Windows Event ID" column lists the event ID as it is implemented in versions of Windows and Windows Server that are currently in mainstream support.

The "Legacy Windows Event ID" column lists the corresponding event ID in legacy versions of Windows such as client computers running Windows XP or earlier and servers running Windows Server 2003 or earlier. The "Potential Criticality" column identifies whether the event should be considered of low, medium, or high criticality in detecting attacks, and the "Event Summary" column provides a brief description of the event.

A potential criticality of High means that one occurrence of the event should be investigated. Potential criticality of Medium or Low means that these events should only be investigated if they occur unexpectedly or in numbers that significantly exceed the expected baseline in a measured period of time. All organizations should test these recommendations in their environments before creating alerts that require mandatory investigative responses. Every environment is different, and some of the events ranked with a potential criticality of High may occur due to other harmless events.

| Current Windows Event ID | Legacy Windows Event ID | Potential Criticality | Event Summary |
|---|---|---|---|
| 4618 | N/A | High | A monitored security event pattern has occurred. |
| 4649 | N/A | High | A replay attack was detected. May be a harmless false positive due to a misconfiguration error. |
| 4719 | 612 | High | System audit policy was changed. |
| 4765 | N/A | High | SID History was added to an account. |
| 4766 | N/A | High | An attempt to add SID History to an account failed. |
| 4794 | N/A | High | An attempt was made to set the Directory Services Restore Mode. |
| 4897 | 801 | High | Role separation enabled. |
| 4964 | N/A | High | Special groups have been assigned to a new logon. |
| 5124 | N/A | High | A security setting was updated on the OCSP Responder Service. |
| N/A | 550 | Medium to High | Possible denial-of-service (DoS) attack. |
| 1102 | 517 | Medium to High | The audit log was cleared. |
| 4621 | N/A | Medium | Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded. |
| 4675 | N/A | Medium | SIDs were filtered. |
| 4692 | N/A | Medium | Backup of data protection master key was attempted. |
| 4693 | N/A | Medium | Recovery of data protection master key was attempted. |
| 4706 | 610 | Medium | A new trust was created to a domain. |
| 4713 | 617 | Medium | Kerberos policy was changed. |
| 4714 | 618 | Medium | Encrypted data recovery policy was changed. |
| 4715 | N/A | Medium | The audit policy (SACL) on an object was changed. |
| 4716 | 620 | Medium | Trusted domain information was modified. |
| 4724 | 628 | Medium | An attempt was made to reset an account's password. |
| 4727 | 631 | Medium | A security-enabled global group was created. |
| 4735 | 639 | Medium | A security-enabled local group was changed. |
| 4737 | 641 | Medium | A security-enabled global group was changed. |
| 4739 | 643 | Medium | Domain Policy was changed. |
| 4754 | 658 | Medium | A security-enabled universal group was created. |
| 4755 | 659 | Medium | A security-enabled universal group was changed. |
| 4763 | 667 | Medium | A security-disabled universal group was deleted. |
| 4764 | 668 | Medium | A group's type was changed. |
| 4780 | 684 | Medium | The ACL was set on accounts which are members of administrators groups. |
| 4816 | N/A | Medium | RPC detected an integrity violation while decrypting an incoming message. |
| 4865 | N/A | Medium | A trusted forest information entry was added. |
| 4866 | N/A | Medium | A trusted forest information entry was removed. |
| 4867 | N/A | Medium | A trusted forest information entry was modified. |
| 4868 | 772 | Medium | The certificate manager denied a pending certificate request. |
| 4870 | 774 | Medium | Certificate Services revoked a certificate. |
| 4882 | 786 | Medium | The security permissions for Certificate Services changed. |
| 4885 | 789 | Medium | The audit filter for Certificate Services changed. |
| 4890 | 794 | Medium | The certificate manager settings for Certificate Services changed. |
| 4892 | 796 | Medium | A property of Certificate Services changed. |
| 4896 | 800 | Medium | One or more rows have been deleted from the certificate database. |
| 4906 | N/A | Medium | The CrashOnAuditFail value has changed. |
| 4907 | N/A | Medium | Auditing settings on an object were changed. |
| 4908 | N/A | Medium | Special Groups Logon table modified. |
| 4912 | 807 | Medium | Per User Audit Policy was changed. |
| 4960 | N/A | Medium | IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. |
| 4961 | N/A | Medium | IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. |
| 4962 | N/A | Medium | IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. |
| 4963 | N/A | Medium | IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. |
| 4965 | N/A | Medium | IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, these events can be ignored. |
| 4976 | N/A | Medium | During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. |
| 4977 | N/A | Medium | During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. |
| 4978 | N/A | Medium | During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. |
| 4983 | N/A | Medium | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. |
| 4984 | N/A | Medium | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. |
| 5027 | N/A | Medium | The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. |
| 5028 | N/A | Medium | The Windows Firewall Service was unable to parse the new security policy. The service will continue with the currently enforced policy. |
| 5029 | N/A | Medium | The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. |
| 5038 | N/A | Medium | Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification, or the invalid hash could indicate a potential disk device error. |
| 5120 | N/A | Medium | OCSP Responder Service started. |
| 5121 | N/A | Medium | OCSP Responder Service stopped. |
| 5122 | N/A | Medium | A configuration entry changed in OCSP Responder Service. |
| 5123 | N/A | Medium | A configuration entry changed in OCSP Responder Service. |
| 5376 | N/A | Medium | Credential Manager credentials were backed up. |
| 5377 | N/A | Medium | Credential Manager credentials were restored from a backup. |
| 5453 | N/A | Medium | An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. |
| 5480 | N/A | Medium | IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. |
| 5483 | N/A | Medium | IPsec Services failed to initialize the RPC server. IPsec Services could not be started. |
| 5484 | N/A | Medium | IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. |
| 5485 | N/A | Medium | IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. |
| 6145 | N/A | Medium | One or more errors occurred while processing security policy in the Group Policy objects. |
| 6273 | N/A | Medium | Network Policy Server denied access to a user. |
| 6274 | N/A | Medium | Network Policy Server discarded the request for a user. |
| 6275 | N/A | Medium | Network Policy Server discarded the accounting request for a user. |
| 6276 | N/A | Medium | Network Policy Server quarantined a user. |
| 6277 | N/A | Medium | Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. |
| 6278 | N/A | Medium | Network Policy Server granted full access to a user because the host met the defined health policy. |
| 5461 | N/A | Low | PAStore Engine failed to apply local registry storage IPsec policy on the computer. |
| 5462 | N/A | Low | PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem. |
| 5463 | N/A | Low | PAStore Engine polled for changes to the active IPsec policy and detected no changes. |
| 5464 | N/A | Low | PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services. |
| 5465 | N/A | Low | PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully. |
| 5466 | N/A | Low | PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied. |
| 5467 | N/A | Low | PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used. |
| 5468 | N/A | Low | PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used. |
| 5471 | N/A | Low | PAStore Engine loaded local storage IPsec policy on the computer. |
| 5472 | N/A | Low | PAStore Engine failed to load local storage IPsec policy on the computer. |
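The criticality rule stated above (one High occurrence is investigated; Medium and Low are investigated only when unexpected or well above baseline) is simple to encode. The following Python is an added example and is not part of the Microsoft appendix: it applies that rule to a constructed batch of Security-log events, folding the legacy XP/Server 2003 IDs from the table into their current counterparts so a mixed estate can be checked with one rule set. The treatment of "Medium to High" as High, the 3x-over-baseline factor, the one-hour window, and the sample event IDs, computer names and baseline counts are all assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Subset of the Appendix L table: current event ID -> (criticality, summary).
EVENTS_TO_MONITOR = {
    4618: ("High", "A monitored security event pattern has occurred."),
    4649: ("High", "A replay attack was detected."),
    4719: ("High", "System audit policy was changed."),
    4765: ("High", "SID History was added to an account."),
    4766: ("High", "An attempt to add SID History to an account failed."),
    4794: ("High", "An attempt was made to set the Directory Services Restore Mode."),
    4964: ("High", "Special groups have been assigned to a new logon."),
    1102: ("Medium to High", "The audit log was cleared."),
    4724: ("Medium", "An attempt was made to reset an account's password."),
    4737: ("Medium", "A security-enabled global group was changed."),
    4906: ("Medium", "The CrashOnAuditFail value has changed."),
    5462: ("Low", "PAStore Engine failed to apply some rules of the active IPsec policy."),
}

# Legacy (XP / Server 2003) IDs from the table, mapped to the current ID.
LEGACY_TO_CURRENT = {612: 4719, 517: 1102, 628: 4724, 641: 4737}


@dataclass(frozen=True)
class Event:
    time: datetime
    event_id: int
    computer: str


@dataclass(frozen=True)
class Alert:
    event_id: int
    criticality: str
    computer: str
    count: int
    reason: str


def normalize_id(event_id: int) -> int:
    """Translate a legacy event ID to its current equivalent; pass others through."""
    return LEGACY_TO_CURRENT.get(event_id, event_id)


def triage(events, baseline, window=timedelta(hours=1), factor=3.0):
    """Apply the appendix rule. High (and, by assumption, Medium to High) alerts per
    occurrence; Medium/Low alerts when a per-host, per-window count exceeds
    factor * baseline, where a missing baseline (0) means any occurrence is unexpected."""
    alerts = []
    buckets = defaultdict(int)  # (event_id, computer, window start) -> count
    for ev in events:
        eid = normalize_id(ev.event_id)
        if eid not in EVENTS_TO_MONITOR:
            continue  # not in the watch list (e.g. routine 4624 logons)
        crit, summary = EVENTS_TO_MONITOR[eid]
        if crit in ("High", "Medium to High"):
            alerts.append(Alert(eid, crit, ev.computer, 1, summary))
            continue
        bucket = ev.time - (ev.time - datetime.min) % window  # floor to window start
        buckets[(eid, ev.computer, bucket)] += 1
    for (eid, computer, bucket), count in sorted(buckets.items()):
        crit, summary = EVENTS_TO_MONITOR[eid]
        expected = baseline.get(eid, 0)
        if count > factor * expected:
            why = "unexpected, no baseline" if expected == 0 else f"{count} in window vs baseline {expected}"
            alerts.append(Alert(eid, crit, computer, count, f"{summary} [{why}]"))
    return alerts


# Constructed sample log: one SID History add, one legacy audit-policy change,
# background logons, a few password resets, a burst of IPsec policy failures,
# and one global group change on a host with no baseline for it.
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_EVENTS = (
    [Event(T0 + timedelta(minutes=5), 4765, "DC01"),
     Event(T0 + timedelta(minutes=7), 612, "LEGACYSRV"),
     Event(T0 + timedelta(minutes=10), 4624, "DC01")]
    + [Event(T0 + timedelta(minutes=i), 4724, "DC01") for i in range(4)]
    + [Event(T0 + timedelta(minutes=i), 5462, "FS01") for i in range(40)]
    + [Event(T0 + timedelta(minutes=30), 4737, "DC01")]
)
SAMPLE_BASELINE = {4724: 5, 5462: 10}  # expected counts per one-hour window (constructed)


def run_sample():
    return triage(SAMPLE_EVENTS, SAMPLE_BASELINE)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.criticality:<15} {a.event_id} {a.computer:<10} x{a.count}  {a.reason}")
```

In the sample, the four password resets stay under the 3x baseline and produce nothing, while the forty 5462 events, the unbaselined group change, and both High events each raise an alert. Baselines should come from a measured period in your own environment, as the appendix advises, before any of these alerts is made mandatory to investigate.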

Collaborate: Multiple SOC and CERT analysts can simultaneously collaborate on investigations. Thanks to the built-in flow, real time information pertaining to new and existing cases, tasks, observables and IOCs is available to all team members. Special notifications allow them to handle or assign new tasks, preview new MISP events and investigate them right away.

Elaborate: Cases and associated tasks can be created using a simple yet powerful template engine. You may add metrics to your templates to drive your team's activity, identify the type of investigations that take significant time and seek to automate tedious tasks. Each task can have multiple work logs to record the ongoing work, attach pieces of evidence or noteworthy files.

Analyze: Add one, hundreds or thousands of observables to each case that you create or import them directly from a MISP event. Quickly triage and filter them. Harness the provided analyzers or create your own to gain precious insight and speed up your investigation. Leverage tags, flag IOCs, and identify previously seen observables to feed your threat intelligence.

InfoSec skills are in such high demand right now. As the world continues to turn everything into an app and connect even the most basic devices to the internet, the demand is only going to grow, so it’s no surprise everyone wants to learn hacking these days.

However, almost every day I come across a forum post where someone is asking where they should begin to learn hacking or how to practice hacking. I’ve compiled this list of some of the best hacking sites to hopefully be a valuable resource for those wondering how they can build and practice their hacking skill set. I hope you find this list helpful, and if you know of any other quality hacking sites, please let me know in the comments, so I can add them to the list.

On CTF365 users build and defend their own servers while launching attacks on other users’ servers. The CTF365 training environment is designed for security professionals who are interested in training their offensive skills or sysadmins interested in improving their defensive skills. If you are a beginner to infosec, you can sign up for a free beginner account and get your feet wet with some pre-configured vulnerable servers.

OverTheWire is designed for people of all experience levels to learn and practice security concepts. Absolute beginners are going to want to start on the Bandit challenges because they are the building blocks you’ll use to complete the other challenges.

Hacking-Lab provides the CTF challenges for the European Cyber Security Challenge, but they also host ongoing challenges on their platform that anyone can participate in. Just register a free account, set up the VPN and start exploring the challenges they offer.

pwnable.kr focuses on ‘pwn’ challenges, similar to CTF, which require you to find, read and submit ‘flag’ files corresponding to each challenge. You must use some sort of programming, reverse-engineering or exploitation skill to access the content of the files before you are able to submit the solution.

They divide the challenges into 4 skill levels: Toddler’s Bottle, Rookiss, Grotesque and Hacker’s Secret. Toddler’s Bottle holds very easy challenges for beginners, Rookiss offers rookie-level exploitation challenges, Grotesque challenges become much more difficult and painful to solve and, finally, Hacker’s Secret challenges require special techniques to solve.

IO is a wargame from the creators of netgarage.org, a community project where like-minded people share knowledge about security, AI, VR and more. They’ve created 3 versions, IO, IO64 and IOarm, with IO being the most mature. Connect to IO via SSH and you can begin hacking on their challenges.

Microcorruption is an embedded security CTF where you have to reverse engineer fictional Lockitall electronic lock devices. The Lockitall devices secure the bearer bonds housed in warehouses owned by the also fictional Cy Yombinator company. Along the way you’ll learn some assembly, how to use a debugger, how to single-step the lock code, set breakpoints, and examine memory, all in an attempt to steal the bearer bonds from the warehouses.

reversing.kr has 26 challenges to test your cracking and reverse engineering abilities. The site hasn’t been updated since the end of 2012, but the challenges available are still valuable learning resources.

Hack This Site is a free wargames site to test and expand your hacking skills. It features numerous hacking missions across multiple categories including Basic, Realistic, Application, Programming, Phonephreaking, JavaScript, Forensic, Extbasic, Stego and IRC missions. It also boasts a large community with a large catalog of hacking articles and a forum for discussions on security-related topics. Finally, they’ve recently announced they are going to be overhauling the dated site and codebase, so expect some big improvements in the coming months.

W3Challs is a pentesting training platform with numerous challenges across different categories including Hacking, Cracking, Wargames, Forensic, Cryptography, Steganography and Programming. The aim of the platform is to provide realistic challenges, not simulations and points are awarded based on the difficulty of the challenge (easy, medium, hard). There’s a forum where you can discuss and walkthrough the challenges with other members.

Exploit Exercises provides a variety of virtual machines, documentation and challenges that can be used to learn about a range of computer security issues such as privilege escalation, vulnerability analysis, exploit development, debugging, reverse engineering, and general cyber security issues.

RingZer0 Team Online CTF offers a ton of challenges, 234 as of this post, that will test your hacking skills across multiple categories including Cryptography, Jail Escaping, Malware Analysis, SQL Injection, Shellcoding and more. After you successfully complete a challenge, you can write up your solution and submit it to the RingZer0 Team. If your write up is accepted, you’ll earn RingZer0Gold which can be exchanged for hints during future challenges.

Hellbound Hackers offers traditional exploit challenges, but they also offer some challenges that others don’t, such as web and app patching and timed challenges. The web and app patching challenges have you evaluating a small snippet of code, identifying the exploitable line of code and suggesting the code to patch it. The timed challenges have the extra constraint of solving the challenge in a set amount of time. I thought these two categories were a cool differentiator from most other CTF sites.

Hack.me is a large collection of vulnerable web apps for practicing your offensive hacking skills. All vulnerable web apps are contributed by the community and each one can be run on the fly in a safe, isolated sandbox.

HackThis!! is comprised of 50+ hacking levels, each worth a set number of points depending on its difficulty level. Similar to Hack This Site, HackThis!! also features a lively community, numerous hacking-related articles and news, and a forum where you can discuss the levels and security-related topics that might be of interest to you.

Google Gruyere shows how web application vulnerabilities can be exploited and how to defend against these attacks. You’ll get a chance to do some real penetration testing and actually exploit a real application with attacks like XSS and XSRF.

Game of Hacks presents you with a series of code snippets, multiple choice quiz style, and you must identify the correct vulnerability in the code. While it’s not nearly as in depth as the others on this list, it’s a nice game for identifying vulnerabilities within source code.

While CTFtime is not a hacking site like the others on this list, it is great resource to stay up to date on CTF events happening around the globe. So if you’re interested in joining a CTF team or participating in an event, then this is the resource for you.

smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android’s Java VM implementation. The syntax is loosely based on Jasmin’s/dedexer’s syntax, and supports the full functionality of the dex format (annotations, debug info, line info, etc.)

Unlike Google’s own Android Software Development Kit debugging tools, AndBug does not require or expect source code. It does, however, require that you have some level of comfort with Python, as it uses a concept of scripted breakpoints, called “hooks”, for most nontrivial tasks.

A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes it possible to debug smali code step by step. It also makes working with an app easier because of its project-like file structure and automation of some repetitive tasks like building the APK.

Features:

Disassembling resources to nearly original form (including resources.arsc, classes.dex, 9.png and XML files)

Dare is a project which aims at enabling Android application analysis. The Dare tool retargets Android applications in .dex or .apk format to traditional .class files. These .class files can then be processed by existing Java tools, including decompilers. Thus, Android applications can be analyzed using a vast range of techniques developed for traditional Java applications.

Dedexer is a disassembler tool for DEX files. DEX is a format introduced by the creators of the Android platform. The format and the associated opcode set are distantly related to the Java class file format and Java bytecodes. Dedexer is able to read the DEX format and turn it into an “assembly-like format”. This format was largely influenced by the Jasmin syntax but contains Dalvik opcodes. For this reason, Jasmin is not able to compile the generated files.
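Before handing a DEX file to Dedexer, Dare or smali, it is worth checking that its header is intact, since every tool above trusts the table offsets in that header. The following Python is an added example, not code from any of these projects: it parses the fixed 112-byte header_item of the DEX format and verifies the two integrity fields the format carries, the Adler-32 checksum over everything after the checksum field and the SHA-1 signature over everything after the signature field. The sample file is constructed inside the block (a header-only DEX with empty tables), and the bit-flip helper stands in for a patched file whose header was not recomputed.

```python
import hashlib
import struct
import zlib
from dataclasses import dataclass

DEX_HEADER_SIZE = 0x70        # header_item is always 112 bytes
ENDIAN_CONSTANT = 0x12345678  # little-endian file; the layout every toolchain emits
KNOWN_MAGIC = {b"dex\n035\x00", b"dex\n037\x00", b"dex\n038\x00", b"dex\n039\x00"}

# u4 fields that follow the 20-byte SHA-1 signature, in header_item order.
TAIL_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)
TAIL_STRUCT = struct.Struct("<20I")


@dataclass
class DexHeader:
    magic: bytes
    checksum: int
    signature: bytes
    fields: dict
    checksum_ok: bool   # Adler-32 over data[12:] matches the checksum field
    signature_ok: bool  # SHA-1 over data[32:] matches the signature field


def parse_dex_header(data: bytes) -> DexHeader:
    """Parse and integrity-check the header of a DEX file held in memory."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("shorter than a DEX header")
    magic = data[:8]
    if magic not in KNOWN_MAGIC:
        raise ValueError(f"not a DEX file (magic {magic!r})")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    fields = dict(zip(TAIL_FIELDS, TAIL_STRUCT.unpack_from(data, 32)))
    if fields["endian_tag"] != ENDIAN_CONSTANT:
        raise ValueError("unsupported endian_tag 0x%08x" % fields["endian_tag"])
    if fields["header_size"] != DEX_HEADER_SIZE:
        raise ValueError("unexpected header_size %d" % fields["header_size"])
    if fields["file_size"] != len(data):
        raise ValueError("file_size %d does not match %d bytes read" % (fields["file_size"], len(data)))
    checksum_ok = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    signature_ok = hashlib.sha1(data[32:]).digest() == signature
    return DexHeader(magic, checksum, signature, fields, checksum_ok, signature_ok)


def rejects(data: bytes) -> bool:
    """True if the parser refuses the input outright (as opposed to flagging bad hashes)."""
    try:
        parse_dex_header(data)
    except ValueError:
        return True
    return False


def build_sample_dex() -> bytes:
    """Constructed sample: a header-only DEX (all tables empty) with valid hashes."""
    values = dict.fromkeys(TAIL_FIELDS, 0)
    values.update(file_size=DEX_HEADER_SIZE, header_size=DEX_HEADER_SIZE, endian_tag=ENDIAN_CONSTANT)
    tail = TAIL_STRUCT.pack(*(values[name] for name in TAIL_FIELDS))
    signature = hashlib.sha1(tail).digest()                  # covers everything after itself
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF   # covers signature and tail
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + tail


def tamper(data: bytes, offset: int) -> bytes:
    """Flip one bit at `offset`, simulating an edit that skipped header recomputation."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    good = parse_dex_header(build_sample_dex())
    bad = parse_dex_header(tamper(build_sample_dex(), 56))  # string_ids_size byte
    print("intact:", good.checksum_ok, good.signature_ok)
    print("patched table size:", bad.fields["string_ids_size"], bad.checksum_ok, bad.signature_ok)
```

Note the nesting: the checksum covers the signature but not the other way round, so a file whose checksum field alone was edited still carries a valid signature, while a change to any table field invalidates both. Tools that rewrite DEX files must recompute the signature first and the checksum second, in that order.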

The aim of the project is to demonstrate that a simple debugging facility on *nix systems, a.k.a. ptrace(), can be abused by malware to inject malicious code into remote processes. Indroid provides a CreateRemoteThread() equivalent for ARM-based *nix devices.

If you want to get a deeper insight into the working of the framework you may:

Intent Sniffer is a tool that can be used on any device using the Google Android operating system (OS). On the Android OS, an Intent is a description of an action to be performed, such as startService to start a service. The Intent Sniffer tool monitors broadcast Intents routed at runtime. It does not see explicit broadcast Intents, but defaults to (mostly) unprivileged broadcasts. There is an option to see recent tasks’ Intents (GET_TASKS), as an Activity’s Intents are visible when it is started. The tool can also dynamically update Actions & Categories.

Redexer is a reengineering tool that manipulates Android app binaries. This tool is able to parse a DEX file into an in-memory data structure; to infer with which parameters the app uses certain permissions (we name this feature RefineDroid); to modify and unparse that data structure to produce an output DEX file (we name these features Dr. Android, which stands for Dalvik Rewriting for Android).

Simplify virtually executes an app to understand its behavior and then tries to optimize the code so that it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it doesn’t matter which specific type of obfuscation is used.

It’s written completely in Java, and it’s open sourced. It’s currently being maintained and developed by Konloch.

There is also a plugin system that will allow you to interact with the loaded classfiles, for example you can write a String deobfuscator, a malicious code searcher, or something else you can think of.

You can either use one of the pre-written plugins, or write your own. It supports groovy scripting. Once a plugin is activated, it will execute the plugin with a ClassNode ArrayList of every single class loaded in BCV, this allows the user to handle it completely using ASM.

r2 is a rewrite from scratch of radare in order to provide a set of libraries and tools to work with binary files.

Radare project started as a forensics tool, a scriptable command-line hexadecimal editor able to open disk files, but later added support for reversing apks, analyzing binaries, disassembling code, debugging programs, attaching to remote gdb servers, etc…